You are currently browsing articles tagged cloud.

FIVEaa logoThe third and final of today’s radio spots about the alleged hack of Apple’s iCloud service was at lunchtime, so I’d had time to wake up and gather my thoughts — as well as see how the infosec community was reacting.

The afternoon presenter on 1395 FIVEaa in Adelaide, Will Goodings, gave it plenty of time too, some 14 minutes, so we covered quite a few issues — including the privacy implications of cloud technology generally.

I sound a bit tired or something, though. Possibly because I was tired.


The audio is ©2014 dmgRadio Australia.

Today’s previous two radio spots were for Nova 100 Melbourne and ABC Radio’s AM.

ABC logoA few minutes after doing the live spot on Nova 100, I recorded an interview on the alleged Apple iCloud hack for ABC Radio’s national current affairs program AM.

Reporter Emily Bourke would have gone away with a disjointed mess of soundbites, but the disjointedness isn’t so important when it’ll be edited into a multi-voice report.

I think this one quote best summarises my view of the compromise we enter into when using cloud services:

The big problem with creating massive online cloud storage systems — which is now the way we do things on the internet, whether it’s Apple or Microsoft or Google or Amazon or whoever — is that you create a vast honey pot of a target for the attackers.

Once you find one way to get in, you can potentially get access to hundreds of thousands, if not millions of people’s data.

The plus side is such concentrated services means they can hire some of the best security people they can find, putting brains onto the problem is obviously important. So at one level the cloud providers can, if they do it right, protect things far better than you or I could on computer systems under our own control.

The failures are therefore going to be far less frequent. It’s just that when the failures do happen they can be catastrophic.

Here’s the full story, served directly from the ABC website, where you can also read the transcript.


The audio is of course ©2014 Australian Broadcasting Corporation.

A few sentences of my comments were also used in a later report on The World Today at lunchtime, which featured security researcher Troy Hunt.

Nova logoIt’s starting to look like an alleged hack of Apple’s iCloud service was the source of a series of nude photos of female celebrities that has appeared online. That news led to a series of radio appearances for me today. Starting with this one.

The story itself has already been widely reported, and I won’t go into any detail about the victims of this invasion of privacy. One good place to start is this summary at The Guardian, and there’s more technical details at TUAW. These blog posts will simply present the media spots that I did.

First up was Nova 100 in Melbourne. This was done live with breakfast presenters Meshel and Tommy at 0720, and my coffee hadn’t kicked in yet. That’s why I screwed up my first, embarrassingly-wrong go at the explanation — at least that’s my excuse and I’m sticking to it.


It seems Meshel was quite taken with my name. That’s so sweet.

The audio is ©2014 dmgRadio Australia.

My presentation from the Saasu Cloud Conference 2012, which I told you about previously, is now online: Security and the Cloud: Hype versus Reality.

I’ll leave the article to explain itself once you click through, but to provide some Googlejuice here are the words hacking, infosec, cybercrime, cyberwar, information security, malware and cows.

Here are the background notes and further reading for my presentation at the Saasu Cloud Conference on 11 May 2012, “Security and the Cloud: Hype versus Reality”.

This presentation was a quick run-through of what I think have been the most important themes from the past 12 to 18 months.

About two-thirds of what I write touches upon information security, cybercrime, cyberwar, or privacy and transparency issues.

If you’d like the full firehose of information, please stay in touch via my list of written articles, the compilation of my media work in my Weekly Wrap posts and — if you don’t mind seeing my less-presentable public face as well as my serious work — my high-volume Twitter feed.

If you have any questions or comments, do please add them below. I’ll generally respond within 48 hours.

Things are very scary…

2011 was billed as the year of the hacker, and the year of the hacktivist. And yes, it was bad.

Hackers working under the Anonymous brand compromised Sony’s PlayStation network, costing the company $170 million.

Anonymous also hacked Stratfor, a US private intelligence analysis firm, stealing their 10-year archive of confidential emails and apparently handing them to WikiLeaks.

Anonymous splinter group LulzSec hacked into Rupert Murdoch’s News International, including UK newspaper The Sun — although it seems that most of LulzSec has since been arrested when their leader was turned and became an FBI informant.

Random hackers even defaced a Tasmanian government website. How very dare they.

Mid-year, McAfee told us about Operation Shady RAT, a five-year program by an unnamed nation state that had infiltrated dozens of organisations around the world. Most of them didn’t even know they were hacked.

We heard how the Stuxnet worm attacked Iran’s nuclear program — although the attack itself took place the previous year — leading to claims that 2012 would be the year of cyberwar. Atomic explosions illustrated the cover of books like Cyberdeterrence and Cyberwar by Martin C Libicki.

… but we don’t really know

Despite all the hype, we have no reliable figures on the extent of the problem.

Online crime is under-reported and under-researched. Plenty of people have called for mandatory reporting of cybercrime, including the chief technology officer of AVG
and Detective Superintendent Brian Hay of the Queensland Police. Me too.

Major security companies avoid telling us the facts and continually promote dubious statistics.

McAfee’s claims about Shady RAT were mostly hand-waving, quite probably exaggeration.

Sophos reckons this focus on high-profile attacks distracts us from the real threats.

The report on Cyber Storm III, the latest in a series of five-nation cybersecurity exercises, told us nothing.

“The exercise provided insight into key decision making processes within government, business and industry. These insights could not have been achieved without processes being tested in an exercise,” the report reveals. Gaps were identified. Improvements made. Relationships built.

Introducing the hacker

Jasmine Singh Cheema, aka Pherk, aka Zero Cool, is a typical hacker and the most likely threat you’ll face.

Cheema did $1.5 million of damage to his employer’s competitors in 2005 in exchange for a few sneakers and a watch. His story is told in Tracking Cybercrooks: the tools feds use and Hacker’s Delight.

The story of the December 2011 extortion attempt against Sulieman Ravell’s financial advisory business is told in the Manly Daily, and I spoke with him at length in a subsequent Patch Monday podcast.

Israeli researcher Tal Be’ery has monitored Anonymous and LulzSec. He reckons Anonymous hacktivists prefer penetration, but choose targets of opportunity. I spoke with him for the Patch Monday podcast too, Removing the anonymity from Anonymous.

Most cybercriminals are stupid, but there’s a lot of them and the tools are cheap and easy to obtain. Your paper boy might hack your home network because you didn’t tip him.

The Cloud changes none of this…

… except for the complexity and your ability to understand what’s going on.

Most of the recent surveys have shown that when it comes to cloud computing, security is the number one concern. And every time I’ve looked at this in detail, the message from the information security experts has been get a lawyer.

That goes double in government circles.

Legal complexities make it difficult to use public cloud computing, according to Raimund Genes, Trend Micro’s chief technology officer. Unless you’re a criminal, that is.

“Public cloud for me is not really a security challenge. It is a change in the way we operate with data. It doesn’t decrease security. It increases complexity, and that’s a problem,” he told the company’s Canberra Cloud Security Conference.

“The cloud, from a legal point of view, will keep our internal lawyers and everybody else busy for the next fifty, one hundred years,” he said.

Hybrid clouds will probably be the answer, balancing the low price of public clouds for less critical with the increased ability to monitor private clouds for more critical data.

Mobile devices are changing everything — especially on the Android operating system, which could end up being a simmering security shemozzle.

You don’t know who your Friends of Friends are

The internet connects every computer directly with every other computer. That’s not new.

What is new is that we’re publishing more information than ourselves than ever before. And while we might think we’re sharing that information with our friends, or friends of friends — those terms are highly misleading.

We might think of friends-of-friends as someone we’d let a friend bring to dinner. But research by Sophos shows that half of the time people will automatically friend someone on Facebook, even if they know nothing about them. Friends of those friends could be literally anyone.

We don’t even know who our enemies are either. After all, anyone can call themselves Anonymous.

DSD has some great advice

According to the Defence Signals Directorate, the agency responsible for the protection of Australian government and military networks, four simple strategies can prevent 85% of targeted intrusions.

DSD has published the full list of the top 35 mitigation strategies.

This work won DSD the US Cybersecurity Innovation Award for 2001.

Evgeny (“Eugene”) Aseev, head of the Kaspersky’s China antivirus lab, has his own list of 18 infosec fails that let crims win.

This time we’re all in the front line

John Lawler, chief executive officer of the Australian Crime Commission (ACC) reckons we all need to harden up.

“There will always be exceptions — high-profile cases and particularly unique cases — where prosecution will be attempted,” he said, “where for deterrent purposes you’ll put a head on a stake somewhere, and I’m an advocate of that — not literally — where that becomes important for community confidence.” …

“I think it is absolutely essential for governments, for businesses, for the individual, to have the proper controls in place to prevent, or to harden the environment against, the cyber attack.”

Organisations must have audit controls, for example, particularly for digital information, and robust governance. They must understand security risks in their full complexity, both technical and human factors.

“That message hasn’t, I think, permeated — certainly in business — to the extent and level it needs to,” Lawler said.

And we need to make sure our data is encrypted, especially on portable media.

The problem is, it’s human nature to put security last.

Businesses need to start taking this more seriously. I’ve called for their to be less pep talk, more stick, and I reckon negligent data breaches should become a criminal offence. I’m not alone.


This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Australia License.

The non-commercial and share-alike conditions are required to adhere to the licensing of the imagery used. Please contact me if you require an alternative version. As a minimum, attribution should read: “Source: Stilgherrian.” Online versions must link the word Stilgherrian to the website at

[Image credits: Cows by Emmett Tullos III, used under a Creative Commons Attribution license (CC BY); photo of Jasmine Singh Cheemsa supplied by FBI via PCWorld Communications Inc; Clouds by Jerry Pierce (Flickr/Uncle Jerry) CC BY-NC-SA; Social graph image by Jim Bumgardner (Flickr/krazydad) CC BY-NC-SA; “Loose Tweets Sink Fleets” by Brian Lane Winfield Moore CC BY-NC-SA; “This time we are all in the front line” by Phil Bradley CC BY-NC-SA.]

On 11 May I’ll be delivering one of the keynote presentations at Saasu’s inaugural conference, the Saasu Cloud Conference 2012 in Sydney.

The cloud is the enabler, it’s the medium that automation grows in. We want to focus on the value of online accounting automation, why it’s often undervalued and how you can get some for your own business or practice.

Saasu makes the online accounting system that I’ve been using since July 2007, and I know the chief executive officer and founder Marc Lehmann and chief happiness officer Tony Hollingsworth.

Good leadership and a good attitude continues to deliver a good product. Well, I think so anyway. At least it works for me.

My keynote will be something about security and the cloud, obviously enough, but I’ll lock down the details before the end of this week.

Mind you, I wrote the ZDNet Australia feature Cloud security? Better get a lawyer, Son! in October 2010, and since then I’ve written Cloud could be ‘privacy enhancing’: Pilgrim and Hybrid clouds the eventual reality for risk management and Today’s cloud winners: the cybercriminals and Want government cloud? Rethink security! so I’ve got plenty of material to start with.

Saasu has kept the price down to a reasonable $99 for a full-day event. You can register online.

[Update 11 May 2012: I’ve just posted notes and background material for my presentation, Security and the Cloud: Hype versus Reality.]

A weekly summary of what I’ve been doing elsewhere on the internets, for those suffering from early-onset dementia.


  • Is Brisbane’s sewer broadband a crock of …?, for Crikey. Believing that the National Broadband Network will take too long to solve Brisbane’s internet problems, Lord Mayor Campbell Newman has signed a deal with the i3 Group to run fibre through the city’s sewers. As you do.
  • Cloud security? Better get a lawyer, Son!, a 2000-word feature for As the intro says, “Moving your data into the cloud creates a raft of security challenges, but according to information security specialists, those challenges are less about hackers and more about data availability and signing the right contracts.”


  • Patch Monday episode 61, “Microsoft exposes the botnet threat”. My guest is Microsoft Australia’s chief security advisor, Stuart Strathdee.
  • A Series of Tubes episode 117. Richard Chirgwin’s podcast returns after a bit of a break. Apart from my usual natter about stuff, we hear from i3 Group’s CEO Elfed Thomas about that Brisbane sewer-based fibre project.

Media Appearances

  • Again it’s not strictly “media”, but on Tuesday I took part in a lunchtime discussion about the future of book publishing, hosted by Blurb. I haven’t had time to write it up yet, but here’s Ross Dawson’s summary.


  • Wait for it…

Corporate Largesse

  • Blurb paid for Tuesday’s lunch at History House on Macquarie Street. And very pleasant it was.
  • I was invited to a few other things this week, but I was a tad crook and didn’t go. Ethics are restored, or something.


Most of my day-to-day observations are on my high-volume Twitter stream, and random photos and other observations turn up on my Posterous stream. The photos also appear on Flickr, where I eventually add geolocation data and tags.

[Photo: Staff of The Duke, Enmore, dress up for The Village People concert at the Enmore Theatre. I won’t link to a higher-resolution version. We have suffered enough.]